Where have all the APTs gone? A discussion of tradecraft accelerationism or counter-counter-counter intel
Activity in cyberspace has gone through a massive transformation over the last few decades, with cyber threat intelligence emerging and then evolving alongside it. Despite the industry maturing, it is harder than ever before to consistently detect, track, and cluster known intrusion sets and identify new activity. This presentation will describe the relationships between actor activity and discuss challenges in maintaining visibility as adversaries have changed their behavior over time. It will also examine the cascading effects of disclosure on adversary activity as a public good, including burning defenders’ ability to discover new activity as adversaries’ reaction times continue to shorten, and the strategic consequences for the closing window of our ability to detect the highest-tier actors. Deterrence is one of the core tenets of cyber warfare strategy, and publicly outing campaigns to “impose cost” remains high on the list of options for response. However, this presentation will challenge the idea that public dissemination of information will operationally impact the perpetrators, and argue that it may in fact end up harming our overall ability to detect and defend against them.
The sessions will be split into three parts: a presentation introducing these concepts with Q and A, a guided discussion among attendees, and a collaborative session to discuss alternatives for information dissemination, deterrence, and planning. Participation, including additional examples and counter-examples at the tactical level and implications at the strategic level, is encouraged, as is lively debate.
MJ Emanuel is an incident response analyst at the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA). Her work focuses on industrial control systems, threat intelligence, and forensics. She also teaches at the Alperovitch Institute at Johns Hopkins’ SAIS about critical infrastructure and cyber threat intelligence.